Story #2873

Updated by Tom Clegg over 5 years ago

* Set owner_uuid to system_user_uuid on all permission links. This prevents users from having permission to view/alter permission links by virtue of having created them.
* Add get_permissions action to API server's ApplicationController. It accepts a single uuid and responds with a list of all permission links whose head_uuid is equal to the specified uuid.
** respond 404 if the object with the specified uuid does not exist _or_ is not readable by the current user (using the same before_filter stuff as the "show" action should take care of this)
** respond 403 if the current user does not have @manage@ permission on the specified uuid _or_ the referenced object's owner_uuid